{"id":19010628,"url":"https://github.com/rhiokim/thorn","last_synced_at":"2026-04-24T09:30:17.391Z","repository":{"id":137347946,"uuid":"76640941","full_name":"rhiokim/thorn","owner":"rhiokim","description":"(WIP...) WAF(web application firewall) with NignX and Naxsi","archived":false,"fork":false,"pushed_at":"2018-06-30T05:32:29.000Z","size":1081,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-01-01T21:24:49.620Z","etag":null,"topics":["firewall","naxsi","nginx","waf"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rhiokim.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-12-16T09:32:21.000Z","updated_at":"2023-05-12T16:45:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"d33ac45d-663a-4071-a07c-47ed25b623da","html_url":"https://github.com/rhiokim/thorn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhiokim%2Fthorn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhiokim%2Fthorn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhiokim%2Fthorn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhiokim%2Fthorn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rhiokim","download_url":"https://codeload.github.com/rhiokim/thorn/tar.gz/refs/hea
ds/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240038150,"owners_count":19738086,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall","naxsi","nginx","waf"],"created_at":"2024-11-08T19:11:57.645Z","updated_at":"2026-04-24T09:30:17.324Z","avatar_url":"https://github.com/rhiokim.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ![](assets/thorn-of-crown.jpg)\n\n## Diagram\n\n```\nnginx-naxsi (port:81)\n  \\_ /etc/nginx/nginx.conf --- proxy_pass to wordpress --- wordpress(port: 8080) + mariadb\n  \\_ /var/log/error.log\n  \\_ naxsi_core.rule\n  \\_ nxapi/nxapi.json (configure elastic search)\n\nnginx-zmq-log\n  \\_ /etc/nginx/nginx.conf --- `log_zmq_server thorn-zmq-sub:5556`\n\nthron-ui (not ready yet)\n\nthorn-zmq-sub (port:5556)\n\nthorn-netfilter (blank: 80, netfilter api: 8082, dummy web server: 9000)\n```\n\n![Thron VPC](assets/RASP_WAF.001.png)\n\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\n      \u003cimg src=\"https://github.com/rhiokim/thorn/raw/master/assets/RASP_WAF.002.png\" /\u003e\n    \u003c/td\u003e\n    \u003ctd\u003e\n      \u003cimg src=\"https://github.com/rhiokim/thorn/raw/master/assets/RASP_WAF.003.png\" /\u003e\n    \u003c/td\u003e\n    \u003ctd\u003e\n      \u003cimg src=\"https://github.com/rhiokim/thorn/raw/master/assets/RASP_WAF.004.png\" /\u003e\n    \u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n## How to run\n\n### Test Machine\n\nPlease skip this step, if you do not run naxsi with nginx on your host OS\n\n```\n$ export 
DOCKER_HOST=10.40.219.150:2376 # test01\n```\n\n### with VM\n\nPlease skip this step too, if you do not run naxsi with nginx on your Virtual OS\n\n```bash\n$ make create-machine\n$ docker-machine ls\nNAME             ACTIVE   DRIVER       STATE     URL                         SWARM   DOCKER    ERRORS\nnaxsi-test-env   -        virtualbox   Running   tcp://192.168.99.100:2376           v1.12.4\n\n$ export DOCKER_HOST=192.168.99.100:2376 # vm\n```\n\n### Wordpress + MariaDB\n\n```bash\n$ docker run -e MYSQL_ROOT_PASSWORD=wordpress -e MYSQL_DATABASE=wordpress --name wordpressdb -v \"$PWD/db\":/var/lib/mysql -d mariadb:latest\n\n$ docker run -e WORDPRESS_DB_PASSWORD=wordpress --name wordpress --link wordpressdb:mysql -p 8080:80 -v \"$PWD/html\":/var/www/html -d wordpress\n\n# or\n\n$ make run-blog\n```\n\n- https://www.upcloud.com/support/wordpress-with-docker/\n- https://docs.docker.com/compose/wordpress/\n\n### NginX + Naxsi\n\n```bash\n$ make build\n$ make run-naxsi\n```\n\n#### Naxsi Test\n\n```bash\n$ curl \"http://10.40.219.150/?a=\u003c\"\n```\n\n### Elastic Search\n\n```bash\n$ docker pull elasticsearch\n$ docker run -dit --name elasticsearch -p 9200:9200 -p 9300:9300 elasticsearch\n\n# or\n\n$ make run-elastic\n\n# create elastic search index and test call\n$ curl -X GET http://localhost:9200\n$ curl -X PUT http://localhost:9200/nxapi\n```\n\n#### Import Nginx log to Elastic Search\n\n```bash\n$ ./nxtool.py -c nxapi.json --files=/var/log/nginx/localhost_error80.log\n```\n\n#### Get log data from Elastic Search\n\n```bash\n$ curl -X POST \"http://10.40.219.150:9200/nxapi/events/_search?pretty\" -d {}\n```\n\n#### To generate whitelists for DOMAIN\n\nI want to generate whitelists for 10.40.219.150, so I will get more precise statistics first.\n\n```bash\n$ ./nxtool.py -c nxapi.json -s 10.40.219.150 -f\n$ ./nxtool.py -c nxapi.json -f --slack --colors | grep BasicRule\n$ ./nxtool.py -c nxapi.json -f --slack --colors | grep BasicRule \u003e 
/etc/nginx/custom.rules\n```\n\n- see more: https://github.com/nbs-system/naxsi/tree/master/nxapi#2-generate-whitelists\n\n#### Troubleshooting the newest Elastic Search docker image on a VM\n\nIf the Elastic Search container runs into a memory issue inside the VM, see this Stack Overflow question:\n- http://stackoverflow.com/questions/34619215/docker-toolbox-cannot-allocate-memory\n\nIf Elastic Search reports `max virtual memory areas vm.max_map_count [65530] is too low`:\n- https://github.com/spujadas/elk-docker/issues/92\n\n```bash\n$ sysctl -w vm.max_map_count=262144\n```\n\nIf a `fielddata` issue occurs with the newest Elastic Search when nxtool generates a whitelist, patch the mapping as follows:\n\n```\nPUT ~/nxapi/_mapping/events\n{\n  \"properties\": {\n    \"id\": {\n        \"type\": \"text\",\n        \"fielddata\": true,\n        \"fields\": {\n            \"keyword\": {\n                \"type\": \"keyword\",\n                \"ignore_above\": 256\n            }\n        }\n    }\n  }\n}\n```\n- https://www.elastic.co/guide/en/elasticsearch/reference/5.0/fielddata.html\n\n#### nginx_zmq_log with the newest nginx\n\nConfigure: removed the --with-ipv6 option. IPv6 now compiled-in automatically if support is found. If there is a need to disable it for some reason, --with-cc-opt=\"-DNGX_HAVE_INET6=0\" can be used for this.\n\n---\n\nTo compile a third-party module that has been converted, use the new --add-dynamic-module argument and specify the path:\n\n```\n./configure --add-dynamic-module=/path/to/module/source\n```\n\nAs with NGINX modules, a shared object is created and installed in the modules subdirectory, and you add a load_module directive for it to the NGINX configuration. Our developer relations team is available to assist with converting a module. Contact us via the NGINX development mailing list.\n\n- https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/\n\n---\n\nThe `ngx_zmq_log` module doesn't work well with nginx. There is no problem when it's compiled with nginx. 
But it does not run because of `dlopen: undefined symbol ngx_zmq_log`.\n\n#### Compiling nginx_zmq_log as a dynamic module with nginx\n\n```\n./configure --conf-path=/etc/nginx/nginx.conf \\\n    --add-dynamic-module=../nginx-log-zmq-master \\\n    --with-ld-opt=\"-lzmq\"\n```\n\n#### ngx_zmq_log configuration in nginx.conf\n\n```\nhttp {\n  log_zmq_server main 172.17.0.4:5556 tcp 4 1000;  # required\n\n  log_zmq_endpoint  main \"\";  # required\n\n  log_zmq_format main '{\"remote_addr\":\"$remote_addr\", \"remote_user\":\"$remote_user\",'\n                      '\"request\":\"$request\", \"status\":\"$status\",'\n                      '\"body_bytes_sent\":\"$body_bytes_sent\",'\n                      '\"http_referer\": \"$http_referer\", \"http_user_agent\":\"$http_user_agent\",'\n                      '\"http_x_forwarded_for\": \"$http_x_forwarded_for\",'\n                      '\"time_local\":\"$time_local\"}';  # required\n}\n```\n\n## TODO\n\n\n### References\n- https://github.com/colstrom/docker-nginx-naxsi\n- http://stackoverflow.com/questions/40078424/how-could-i-run-nginx-naxsi-in-baseimage\n- http://qiita.com/jey0taka/items/ee170239b242fc77887a\n- https://github.com/nbs-system/naxsi/tree/master/nxapi\n- https://www.nginx.com/resources/wiki/modules/log_zmq/#log-zmq-installation\n- http://bravenewgeek.com/a-look-at-nanomsg-and-scalability-protocols/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhiokim%2Fthorn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frhiokim%2Fthorn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhiokim%2Fthorn/lists"}